#### (19) World Intellectual Property Organization International Bureau



### TO STATE A STATE OF THE STATE O

#### (43) International Publication Date 18 December 2003 (18.12.2003)

#### **PCT**

# (10) International Publication Number WO 03/104973 A1

(51) International Patent Classification7:

\_\_\_\_

G06F 7/72

(21) International Application Number: PCT/IB03/02583

(22) International Filing Date:

4 June 2003 (04.06.2003)

(25) Filing Language:

English

(26) Publication Language:

English

(30) Priority Data:

0213242.1

7 June 2002 (07.06.2002) GB

- (71) Applicant (for all designated States except US): KONIN-KLIJKE PHILIPS ELECTRONICS N.V. [NL/NL]; Groenewoudseweg 1, NL-5621 BA Eindhoven (NL).
- (72) Inventor; and
- (75) Inventor/Applicant (for US only): HUBERT, Gerardus, T., M. [NL/NL]; c/o Philips Intellectual Property & Standards, Cross Oak Lane, Redhill, Surrey RH1 5HA (GB).
- (74) Agent: TURNER, Richard, C.; Philips Intellectual Property & Standards, Cross Oak Lane, Redhill, Surrey RH1 5HA (GB).

- (81) Designated States (national): AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CO, CR, CU, CZ, DE, DK, DM, DZ, EC, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, II., IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, MZ, NO, NZ, OM, PH, PL, PT, RO, RU, SC, SD, SE, SG, SK, SL, TJ, TM, TN, TR, TT, TZ, UA, UG, US, UZ, VC, VN, YU, ZA, ZM, ZW.
- (84) Designated States (regional): ARIPO patent (GH, GM, KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZM, ZW), Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, HU, IE, IT, LU, MC, NL, PT, RO, SE, SI, SK, TR), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, GQ, GW, ML, MR, NE, SN, TD, TG).

#### Published:

- with international search report
- before the expiration of the time limit for amending the claims and to be republished in the event of receipt of amendments

For two-letter codes and other abbreviations, refer to the "Guidance Notes on Codes and Abbreviations" appearing at the beginning of each regular issue of the PCT Gazette.

(54) Title: AES MIXCOLUMN TRANSFORM



(57) Abstract: A simplified logic circuit for performing the AES Rijndael MixColumns transform exploits the common relationship between each of the successive rows of the transform matrix and its preceding row. A logic circuit for performing multiplication of an  $(m \times n)$  matrix by a  $(1 \times n)$  or by a  $(m \times 1)$  matrix, where m is a number of rows and n is a number of columns, and where each successive row, m, of n elements is a predetermined row permutation of a preceding row comprises: n multiplication circuits; n logic circuits; n registers for receiving logical output from the logic circuits; feedback logic for routing the contents of each register to a selected one of inputs of the logic circuits in accordance with a feedback plan that corresponds to the common relationship between successive matrix rows; and control means for successively providing as input to each of the n multiplication circuits each element in the  $(1 \times n)$  or  $(m \times 1)$  matrix.

WO 03/104973

PCT/IB03/02583

1

#### **DESCRIPTION**

#### **AES MIXCOLUMN TRANSFORM**

5

10

15

20

25

30

The present invention relates to methods and apparatus for implementation of the Advanced Encryption Standard (AES) algorithm and in particular to methods and apparatus for performing the matrix multiplication operation that constitutes the AES MixColumn transformation in each of the encryption and decryption rounds of the algorithm.

The invention has particular, though not exclusive, application in cryptographic devices such as those installed in smart cards and other devices where processor and memory resources are somewhat limited and many operations of the cryptographic algorithm are performed in dedicated ASIC or FPGA hardware.

The AES algorithm has wide application in the encryption of data to be transmitted in a secure fashion. One application is in the transmittal of personal and/or financial information from a smartcard to a card reader device. Confidential data stored on the card must not be retrieved from the card except in encrypted form to ensure that the data so retrieved cannot be intercepted and read by an unauthorised third party. Only the authorised reader is able to decrypt the data retrieved from the card.

Similarly, data supplied by the card reader to be stored in the card must be passed to the card in encrypted form, and decrypted by the card for storage and subsequent retrieval.

While the AES algorithm is relatively straightforward to implement in a conventional computer system deploying state of the art processor and memory circuits, in a smartcard application, the processor and memory resource is very limited, and many functions must be executed in dedicated hardware, such as ASICs or FPGAs.

There is therefore a requirement for hardware implementations of the procedures required in the AES algorithm which implementations require the minimum use of hardware resource.

It is an object of the present invention to provide suitable circuitry for effecting the MixColumn transform deployed in the standard AES (Rijndael) cryptographic algorithm, both for encryption and decryption.

According to one aspect, the present invention provides a logic circuit for multiplication of an  $(m \times n)$  matrix by a  $(1 \times n)$  or by a  $(m \times 1)$  matrix, where m is a number of rows and n is a number of columns, and wherein each successive row m, of n elements is a predetermined row permutation of a preceding row, the circuit comprising:

n multiplication circuits each having an input and an output which returns the value of said input multiplied by a predetermined multiplicand;

n logic circuits, each for executing a predetermined logical combination of a first input and a second input to provide a logical output, the first input being coupled to the output of a corresponding one of the n multiplication circuits;

n registers for receiving said logical output;

10

15

20

25

30

feedback logic for routing the contents of each register to a selected one of the second inputs in accordance with a feedback plan that corresponds to the predetermined row permutation; and

control means for successively providing as input to each of the n multiplication circuits each element in the (1  $\times$  n) or (m  $\times$  1) matrix.

Embodiments of the present invention will now be described by way of example and with reference to the accompanying drawings in which:

Figure 1 is a flow diagram illustrating implementation of an encryption operation using the AES block cipher algorithm; and

Figure 2 is a schematic diagram of a functional logic block for performing the MixColumns transform.

10

15

20

25

30

The AES algorithm for encryption of plaintext to ciphertext is shown in figure 1. The AES algorithm may be implemented using a 128-bit, a 192-bit or a 256-bit key operating on successive 128-bit blocks of input data. The present invention is applicable to all of these implementations. Figure 1 will now be described in the context of the basic implementation using a 128-bit key.

An initial 128-bit block of input plaintext 10 is XOR-combined 11 with an original 128-bit key 12 in an initial round 15. The output 13 from this initial round 15 is then passed through a number of repeated transform stages, in an encryption round 28 which includes the SubBytes transform 20, the ShiftRows transform 21 and the MixColumns transform 22 in accordance with the defined AES algorithm.

The output from the MixColumns transform 22 is XOR-combined 23 with a new 128-bit round key 26, which has been derived 25 from the initial (original) key 12. The output from this XOR-combination 23 is fed back to pass through the encryption round 28 a further number of times, the number depending upon the particular implementation of the algorithm.

For each successive iteration through the encryption round 28, a new round key 26' is derived from the existing round key 26 according to the AES round key schedule.

The number of iterations (Nr - 1) of the encryption round 28 is nine where a 128-bit encryption key is being used, eleven where a 192-bit encryption key is being used, and thirteen where a 256-bit encryption key is being used.

After the requisite number (Nr-1) of encryption rounds 28, a final round, Nr, is entered under the control of decision box 24. The final round 30 comprises a further SubBytes transform 31, a further ShiftRows transform 32, and a subsequent XOR-combination 33 of the result with a final round key 36 generated 35 from the previous round key. The output therefrom comprises the ciphertext output 39 of the encryption algorithm.

The present invention relates particularly to the performing of the MixColumns transform 22. Through the rounds 28, 30, the 128-bit blocks

being processed are conveniently represented as 16 8-bit blocks in a 4  $\times$  4 matrix, as  $s_{\text{row, column}}$ , according to the pattern,

| \$0,0            | S <sub>0,1</sub> | S <sub>0,2</sub> | S <sub>0,3</sub> |
|------------------|------------------|------------------|------------------|
| S <sub>1,0</sub> | S <sub>1,1</sub> | S <sub>1,2</sub> | S <sub>1,3</sub> |
| S <sub>2,0</sub> | S <sub>2,1</sub> | S <sub>2,2</sub> | S <sub>2,3</sub> |
| S <sub>3,0</sub> | S <sub>3,1</sub> | S <sub>3,2</sub> | S <sub>3,3</sub> |

5

In the MixColumns transform 22, the columns of this state are considered as polynomials over  $GF(2^8)$  and multiplied modulo  $(x^4 + 1)$  with a predetermined fixed polynomial a(x), given by:

10

$$a(x) = a_3x^3 + a_2x^2 + a_1x + a_0$$

in which, represented as hexadecimal values,

 $a_3 = 03 h$ 

 $a_2 = 01 h$ 

 $a_1 = 01 h$ 

 $a_0 = 02 h$ .

20

The polynomial is co-prime to  $x^4 + 1$  and is therefore invertible.

For encryption, the MixColumns transform can therefore be expressed

as

 $s_{r,c} \rightarrow s'_{r,c},$  for each of the columns in s.

5

$$\begin{pmatrix} s'_{0_{F}} \\ s'_{1_{F}} \\ s'_{2_{F}} \\ s'_{3_{C}} \end{pmatrix} = \begin{pmatrix} a_{0} \ a_{3} \ a_{2} \ a_{1} \\ a_{1} \ a_{0} \ a_{3} \ a_{2} \\ a_{2} \ a_{1} \ a_{0} \ a_{3} \\ a_{3} \ a_{2} \ a_{1} \ a_{0} \end{pmatrix} \begin{pmatrix} s_{0,c} \\ s_{1,c} \\ s_{2,c} \\ s_{3,c} \end{pmatrix} = \begin{pmatrix} 02 \ 03 \ 01 \ 01 \\ 01 \ 02 \ 03 \ 01 \\ 01 \ 01 \ 02 \ 03 \\ 03 \ 01 \ 01 \ 02 \end{pmatrix} \begin{pmatrix} s_{0,c} \\ s_{1,c} \\ s_{2,c} \\ s_{3,c} \end{pmatrix}$$

The evaluation of this matrix multiplication is:

5

$$s'_{0,c} = \{02\}^* s_{0,c} \oplus \{03\}^* s_{1,c} \oplus s_{2,c} \oplus s_{3,c}$$

$$s'_{1,c} = s_{0,c} \oplus \{02\}^* s_{1,c} \oplus \{03\}^* s_{2,c} \oplus s_{3,c}$$

$$s'_{2,c} = s_{0,c} \oplus s_{1,c} \oplus \{02\}^* s_{2,c} \oplus \{03\} s_{3,c}$$

$$10 \qquad s'_{3,c} = \{03\}^* s_{0,c} \oplus s_{1,c} \oplus s_{2,c} \oplus \{02\}^* s_{3,c}$$

During decryption, the inverse of this operation is required. It is given by the following matrix multiplication.

15

$$\begin{pmatrix} \mathbf{s'}_{0c} \\ \mathbf{s'}_{1c} \\ \mathbf{s'}_{2c} \\ \mathbf{s'}_{3c} \end{pmatrix} = \begin{pmatrix} b_0 \ b_3 \ b_2 \ b_1 \\ b_1 \ b_0 \ b_3 \ b_2 \\ b_2 \ b_1 \ b_0 \ b_3 \\ b_3 \ b_2 \ b_1 \ b_0 \end{pmatrix} \begin{pmatrix} \mathbf{s}_{0,c} \\ \mathbf{s}_{1,c} \\ \mathbf{s}_{2,c} \\ \mathbf{s}_{3,c} \end{pmatrix} = \begin{pmatrix} 0E \ 0B \ 0B \ 0B \ 0B \\ 09 \ 0E \ 0E \ 0D \\ 0D \ 09 \ 0E \ 0B \\ 0B \ 0D \ 09 \ 0E \end{pmatrix} \begin{pmatrix} \mathbf{s}_{0,c} \\ \mathbf{s}_{1,c} \\ \mathbf{s}_{2,c} \\ \mathbf{s}_{3,c} \end{pmatrix}$$

The evaluation of this matrix multiplication is:

6

It is noted that the MixColumns transform matrix has the special property that each successive row is a shifted or rotated version of the preceding row. In general, each element in a row appears in every row but in a different position in the row, and specifically, for the MixColumns transform matrix the different position of each element for each row constitutes a single position right shift or rotation.

According to the present invention, it has been recognised that this property allows the multiplication of each column of the state **s** to be achieved with significantly reduced hardware.

Figure 2 illustrates an exemplary embodiment of hardware logic 50 adapted for the multiplication of an  $m \times n$  matrix by a 1 × n matrix, in which the relationship between each successive row of n elements of the  $m \times n$  matrix is a predetermined row shift. For the AES MixColumns transform, m = 4, n = 4 and the predetermined relationship is a single right shift.

15

20

30

10

The logic 50 comprises four 8-bit multiplication circuits 60 ... 63, four 8-bit XOR gates 70 ... 73 and four feedback / output registers 80 ... 83, shown as  $MixCol_0$  ...  $MixCol_3$ . Each multiplication circuit 70 ... 73 is adapted for multiplication of an input by one of the matrix coefficients  $c_0$ ,  $c_1$ ,  $c_2$ ,  $c_3$ . Each of the XOR gates 70 ... 73 may be implemented using any appropriate combination of logic elements required to execute the appropriate logical combination of two inputs, as described hereinafter.

For encryption rounds, the values of  $c_0 \dots c_3$  are, respectively,  $a_0 \dots a_3$  as defined above. For decryption rounds, the values of  $c_0 \dots c_3$  are, respectively,  $b_0 \dots b_3$  as defined above. The output of each multiplication circuit  $60 \dots 63$  is coupled to a first input of a corresponding XOR gate  $70 \dots 73$ . The output of each XOR gate  $70 \dots 73$  is coupled to a corresponding MixCol register  $80 \dots 83$ . The output of each MixCol register  $80 \dots 83$  is coupled to the second input of one of the XOR gates  $70 \dots 73$  according to a feedback plan  $90 \dots 93$  that corresponds to the row shift function that defines the relationship between successive rows of the matrix. In the present case, the feedback plan  $90 \dots 93$  implements the right row shift function between

successive rows of the matrices  $a_{r,c}$  (encryption) and  $b_{r,c}$  (decryption) — more generally the matrix  $c_{r,c}$ .

During operation of the circuit 50,  $s_{0c}$ ,  $s_{1c}$ ,  $s_{2c}$ ,  $s_{3c}$  are sequentially offered to the multiplication logic 60 ... 63 on successive cycles. At the outset of each column multiplication, the registers MixCol<sub>0</sub> to MixCol<sub>3</sub> are pre-set to zero.

After the 1st cycle:

 $MixCol_0 = c_0.s_{0c}$ 

 $10 \quad MixCol_1 = c_1.s_{0c}$ 

 $MixCol_2 = c_2.s_{0c}$ 

 $MixCol_3 = c_3.s_{0c}$ 

After the 2<sup>nd</sup> cycle:

15  $MixCol_0 = c_0.s_{1c} \oplus c_1.s_{0c}$ 

 $MixCol_1 = c_1.s_{1c} \oplus c_2.s_{0c}$ 

 $MixCol_2 = c_2.s_{1c} \oplus c_3.s_{0c}$ 

 $MixCol_3 = c_3.s_{1c} \oplus c_0.s_{0c}$ 

20 After the 3<sup>rd</sup> cycle:

 $MixCol_0 = c_0.s_{2c} \oplus c_1.s_{1c} \oplus c_2.s_{0c}$ 

 $MixCol_1 = c_1.s_{2c} \oplus c_2.s_{1c} \oplus c_3.s_{0c}$ 

 $MixCol_2 = c_2.s_{2c} \oplus c_3.s_{1c} \oplus c_0.s_{0c}$ 

 $MixCol_3 = c_3.s_{2c} \oplus c_0.s_{1c} \oplus c_1.s_{0c}$ 

25

After the 4<sup>th</sup> cycle:

 $MixCol_0 = c_0.s_{3c} \oplus c_1.s_{2c} \oplus c_2.s_{1c} \oplus c_3.s_{0c}$ 

 $MixCol_1 = c_1.s_{3c} \oplus c_2.s_{2c} \oplus c_3.s_{1c} \oplus c_0.s_{0c}$ 

 $MixCol_2 = c_2.s_{3c} \oplus c_3.s_{2c} \oplus c_0.s_{1c} \oplus c_1.s_{0c}$ 

30 MixCol<sub>3</sub> =  $c_3.s_{3c} \oplus c_0.s_{2c} \oplus c_1.s_{1c} \oplus c_2.s_{0c}$ 

PCT/IB03/02583

8

Rearranging these outputs, according to the feedback plan 90 ... 93 gives the outputs:

MixCol<sub>1</sub> =  $s'_{0,c}$ 5 MixCol<sub>2</sub> =  $s'_{1,c}$ MixCol<sub>3</sub> =  $s'_{2,c}$ MixCol<sub>0</sub> =  $s'_{0,c}$ 

which is the required result.

10

15

It will be noted that, generally speaking, the number of rows, m, in the matrix determines the number of cycles required, while the number of columns, n, determines the number of logic groups (multipliers 60 ... 63, XOR gates 70 ... 73, and registers 80 ... 83) required.

The multiplication logic 60 ... 63 can be implemented using any suitable logic. In a preferred embodiment, the logic is provided for both encryption and decryption combining certain logic according to the following schedule.

For  $c_0 \times s_{0,c}$ , there the output from the respective multiplication logic 60 ... 63 is defined as  $e_{cycle, \, bit}$ , and d=0 for encryption and d=1 for decryption:

20

25

 $e_{07} = s_6$  XNOR NAND(d,  $s_{45}$ )  $e_{06} = s_5$  XNOR NAND(d,  $s_{347}$ )  $e_{05} = s_4$  XNOR NAND(d,  $s_{236}$ )  $e_{04} = s_{37}$  XNOR NAND(d,  $s_{125}$ )  $e_{03} = s_{27}$  XNOR NAND(d,  $s_{0157}$ )  $e_{02} = s_{17}$  XNOR NAND(d,  $s_{0567}$ )  $e_{01} = s_0$  XNOR NAND(d,  $s_{67}$ )  $e_{01} = s_7$  XNOR NAND(d,  $s_{56}$ )

Similarly, for  $c_1 \times s_{1,c}$ :

 $e_{17} = s_7 XNOR NAND(d, s_4)$ 

```
e_{16} = s_6 \text{ XNOR NAND}(d, s_{37})
e_{15} = s_5 \text{ XNOR NAND}(d, s_{267})
e_{14} = s_4 \text{ XNOR NAND}(d, s_{1567})
e_{13} = s_3 \text{ XNOR NAND}(d, s_{056})
e_{12} = s_2 \text{ XNOR NAND}(d, s_{57})
e_{11} = s_1 \text{ XNOR NAND}(d, s_6)
e_{10} = s_0 \text{ XNOR NAND}(d, s_5)
```

Similarly, for  $c_2 \times s_{2, c}$ :

10

 $e_{27} = s_7 \text{ XNOR NAND}(d, s_{45})$   $e_{26} = s_6 \text{ XNOR NAND}(d, s_{347})$   $e_{25} = s_5 \text{ XNOR NAND}(d, s_{236})$   $e_{24} = s_4 \text{ XNOR NAND}(d, s_{125})$   $e_{23} = s_3 \text{ XNOR NAND}(d, s_{015})$   $e_{22} = s_2 \text{ XNOR NAND}(d, s_{0567})$   $e_{21} = s_1 \text{ XNOR NAND}(d, s_{67})$   $e_{20} = s_0 \text{ XNOR NAND}(d, s_{56})$ 

Similarly, for  $c_3 \times s_{3,c}$ :

 $e_{37} = s_{67} \text{ XNOR NAND(d, s}_4)$   $e_{36} = s_{56} \text{ XNOR NAND(d, s}_{37})$   $e_{35} = s_{45} \text{ XNOR NAND(d, s}_{267})$ 25  $e_{34} = s_{347} \text{ XNOR NAND(d, s}_{1567})$   $e_{33} = s_{23} \text{ XOR s}_7 \text{ XNOR NAND(d, s}_{056})$   $e_{32} = s_{12} \text{ XOR s}_7 \text{ XNOR NAND(d, s}_{57})$   $e_{31} = s_{01} \text{ XNOR NAND(d, s}_6)$   $e_{30} = s_{07} \text{ XNOR NAND(d, s}_5)$ 

where:

PCT/IB03/02583

10

 $a_{57} = a_5 XOR a_7$  $a_{07} = a_0 XOR a_7$  $a_{34} = a_3 XOR a_4$  $a_{567} = a_7 XOR a_{56}$  $a_{125} = a_{12} XOR a_5$  $a_{1567} = a_{17} XOR a_{56}$  $a_{37} = a_3 XOR a_7$  $a_{67} = a_6 XOR a_7$  $a_{23} = a_2 XOR a_3$  $a_{056} = a_0 XOR a_{56}$ 10  $a_{267} = a_2 XOR a_{67}$  $a_{27} = a_2 XOR a_7$  $a_{56} = a_5 XOR a_6$  $a_{12} = a_1 XOR a_2$  $a_{347} = a_{34} XOR a_7$ 15  $a_{0157} = a_{01} XOR a_{57}$  $a_{17} = a_1 XOR a_7$  $a_{45} = a_4 XOR a_5$  $a_{01} = a_0 XOR a_1$  $a_{236} = a_{23} XOR a_6$ 20  $a_{0567} = a_{07} XOR a_{56}$ 

This requires 23 XOR gates, 32 XNOR gates and 32 NAND gates.

Other embodiments are intentionally within the scope of the accompanying claims.

#### **CLAIMS**

1. A logic circuit for multiplication of an  $(m \times n)$  matrix by a  $(1 \times n)$  or by a  $(m \times 1)$  matrix, where m is a number of rows and n is a number of columns, and wherein each successive row m of n elements is a predetermined row permutation of a preceding row, the circuit comprising:

n multiplication circuits (60...63) each having an input and an output which returns the value of said input multiplied by a predetermined multiplicand;

n logic circuits, (70...73) each for executing a predetermined logical combination of a first input and a second input to provide a logical output, the first input being coupled to the output of a corresponding one of the n multiplication circuits;

n registers (80...83) for receiving said logical output;

feedback logic for routing the contents of each register to a selected one of the second inputs in accordance with a feedback plan that corresponds to the predetermined row permutation; and

control means for successively providing as input to each of the n multiplication circuits each element in the (1  $\times$  n) or (m  $\times$  1) matrix.

20

30

10

- 2. The logic circuit of claim 1 in which the feedback logic provides a feedback plan corresponding to said predetermined row permutation that is a row shift.
- 3. The logic circuit of claim 2 in which the row shift is a single element right shift.
  - 4. The logic circuit of claim 1 in which the n logic circuits are each adapted to execute an XOR-combination of said first input and said second input.

12

- 5. The logic circuit of claim 1 in which each of the predetermined multiplicands corresponds to one of the elements in the AES Rijndael MixColumns transform function.
- 6. The logic circuit of claim 5 in which the number m=4, the number n=4, the multiplicand for the first multiplication circuit = 02, the multiplicand for the second multiplication circuit = 03, the multiplicand for the third multiplication circuit = 01, and the multiplicand for the fourth multiplication circuit = 01.

10

15

5

- 7. The logic circuit of claim 5 in which the number m=4, the number n=4, the multiplicand for the first multiplication circuit = 0E, the multiplicand for the second multiplication circuit = 0B, the multiplicand for the third multiplication circuit = 0D, and the multiplicand for the fourth multiplication circuit = 09.
- 8. The logic circuit of claim 6 or claim 7 in which the four multiplicands are switchable between the values in claim 6 and the values in claim 7.

20

9. The logic circuit of claim 1 in which the control means is adapted to successively provide as input to each of the n multiplication circuits each successive element in the  $(1 \times n)$  or  $(m \times 1)$  matrix over each of n or m cycles of operation respectively.

- 10. The logic circuit of claim 1 in which each of the n multiplication circuits, each of the n logic circuits, and each of the n registers are at least eight bits wide.
- 30
- 11. The logic circuit of claim 1 in which the control means further includes means for providing as output from said logic circuit the contents of the n registers after each *n*th cycle.

12. The logic circuit of claim 1 in which the control means further includes means for resetting each of the registers prior to the first calculation cycle.

- 13. The logic circuit of claim 1 in which each successive row m of n elements is a predetermined row permutation of the immediately preceding row.
- 10 14. An AES MixColumns transform circuit incorporating the logic circuit of any one of claims 1 to 13.
- 15. An AES encryption and/or decryption engine incorporating the logic circuit of any one of claims 1 to 13 for performing the MixColumnstransform.
  - 16. Apparatus substantially as described herein with reference to the accompanying drawings.





FIG.2

# This Page is Inserted by IFW Indexing and Scanning Operations and is not part of the Official Record

## **BEST AVAILABLE IMAGES**

Defective images within this document are accurate representations of the original documents submitted by the applicant.

| Defects in the images include but are not limited to the items checked: |  |  |
|-------------------------------------------------------------------------|--|--|
| BLACK BORDERS                                                           |  |  |
| IMAGE CUT OFF AT TOP, BOTTOM OR SIDES                                   |  |  |
| ☐ FADED TEXT OR DRAWING                                                 |  |  |
| ☑ BLURRED OR ILLEGIBLE TEXT OR DRAWING                                  |  |  |
| ☐ SKEWED/SLANTED IMAGES                                                 |  |  |
| ☐ COLOR OR BLACK AND WHITE PHOTOGRAPHS                                  |  |  |
| ☐ GRAY SCALE DOCUMENTS                                                  |  |  |
| ☐ LINES OR MARKS ON ORIGINAL DOCUMENT                                   |  |  |
| REFERENCE(S) OR EXHIBIT(S) SUBMITTED ARE POOR QUALITY                   |  |  |
| OTHER:                                                                  |  |  |

# IMAGES ARE BEST AVAILABLE COPY.

As rescanning these documents will not correct the image problems checked, please do not report these problems to the IFW Image Problem Mailbox.